Table of Contents
Technical Details
Store administrator disables plug-ins
woocommerce/includes/admin/class-wc-admin-status.php
woocommerce/includes/log-handlers/class-wc -log-handler-file.php
Home Operation and Maintenance Safety How to solve the arbitrary file deletion vulnerability in WordPress plugin WooCommerce

How to solve the arbitrary file deletion vulnerability in WordPress plugin WooCommerce

May 13, 2023 pm 06:16 PM
wordpress woocommerce

Technical Details

The permission processing mechanism of WordPress is mainly implemented by providing different functions for different roles. When the store administrator role is defined, it will assign the edit_users function to this role, so that They can directly manage the store's customer account. The entire permission assignment process occurs during the installation process of the plug-in. woocommerce/includes/class-wc-install.php:

//Shop manager role.add_role(       'shop_manager',      // Internal name of the new role       'Shop manager',      // The label for displaying       array(               // Capabilities                ⋮              'read_private_posts'     => true,              'edit_users'             => true,              'edit_posts'             => true,                ⋮       ));
Copy after login

The role permission information will be stored in the database as WordPress core settings, which means that the user role is now independent of the plugin, even if the plugin is not enabled , and will not affect related role permissions.

When an authenticated user attempts to modify other user information, the current_user_can() function is called, and then ensures that only privileged users can perform this operation. Current_user_can() function call example:

$target_user_id= $_GET['target_user_id'];if(current_user_can('edit_user',$target_user_id)) {    edit_user($target_user_id);}
Copy after login

The verification logic of the call is as follows: This user wants to use the ID $target_user_id to modify a specific user. Does he have the permission to execute?

Under the default configuration, the edit_users function allows users with permissions (such as store administrators) to edit other users, even administrator users, and then perform operations such as password updates. For security reasons, WooCommerce needs to specify whether store administrators can edit users, so the plug-in needs to add meta permissions. Meta functions can be called by current_user_can(). The value returned by the function under the default behavior is true, but the value returned by the meta permission function can determine whether the current user can perform such an operation. The following is the abstract function code of the WooCommerce meta permission filter:

function disallow_editing_of_admins( $capability, $target_user_id ) {       // If the user is an admin return false anddisallow the action    if($capability == "edit_user"&& user_is_admin($target_user_id)) {        return false;    } else {        return true;    }}add_filter('map_meta_cap', 'disallow_editing_of_admins');
Copy after login

For example, when current_user_can('edit_user', 1) is called, the filter will determine that the ID is 1 ($target_user_id) Whether the user is an administrator, and based on the results, determine whether to allow the user to operate.

Store administrator disables plug-ins

By default, only administrators can disable plug-ins. However, this vulnerability allows store administrators to delete any writable file on the server, so we can prevent WordPress from loading the plug-in by deleting WooCommerce’s main file-woocommerce.php.

This file deletion vulnerability exists in the logging function of WooCommerce. The logs will be stored in the wp-content directory in the form of .log files. When the store administrator wants to delete a log file, he needs to submit the file name as a GET parameter. The code snippet shown below is the vulnerable part:

woocommerce/includes/admin/class-wc-admin-status.php

class WC_Admin_Status{    public static function remove_log()    {    ⋮        $log_handler = newWC_Log_Handler_File();       $log_handler->remove(wp_unslash($_REQUEST['handle']));}
Copy after login

woocommerce/includes/log-handlers/class-wc -log-handler-file.php

class WC_Log_Handler_File extends WC_Log_Handler{    public function remove($handle)    {    ⋮        $file = trailingslashit(WC_LOG_DIR) .$handle;    ⋮unlink($file);
Copy after login

The problem here is that the file name ($handle) will be added to the log directory (wp-content/wc-logs/) and then passed to unlink( )function. When setting "$handle../../plugins/woocommerce-3.4.5/woocommerce.php", file wp-content/wc-logs/../../plugins/woocommerce-3.4.5/woocommerce. php will be removed, causing WooCommerce to be disabled.

The above is the detailed content of How to solve the arbitrary file deletion vulnerability in WordPress plugin WooCommerce. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
1 months ago By 尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

PHP vs. Flutter: The best choice for mobile development PHP vs. Flutter: The best choice for mobile development May 06, 2024 pm 10:45 PM

PHP and Flutter are popular technologies for mobile development. Flutter excels in cross-platform capabilities, performance and user interface, and is suitable for applications that require high performance, cross-platform and customized UI. PHP is suitable for server-side applications with lower performance and not cross-platform.

How to change page width in wordpress How to change page width in wordpress Apr 16, 2024 am 01:03 AM

You can easily modify your WordPress page width by editing your style.css file: Edit your style.css file and add .site-content { max-width: [your preferred width]; }. Edit [your preferred width] to set the page width. Save changes and clear cache (optional).

How to create a product page in wordpress How to create a product page in wordpress Apr 16, 2024 am 12:39 AM

Create a product page in WordPress: 1. Create the product (name, description, pictures); 2. Customize the page template (add title, description, pictures, buttons); 3. Enter product information (stock, size, weight); 4 . Create variations (different colors, sizes); 5. Set visibility (public or hidden); 6. Enable/disable comments; 7. Preview and publish the page.

In which folder are wordpress articles located? In which folder are wordpress articles located? Apr 16, 2024 am 10:29 AM

WordPress posts are stored in the /wp-content/uploads folder. This folder uses subfolders to categorize different types of uploads, including articles organized by year, month, and article ID. Article files are stored in plain text format (.txt), and the filename usually includes its ID and title.

Where is the wordpress template file? Where is the wordpress template file? Apr 16, 2024 am 11:00 AM

WordPress template files are located in the /wp-content/themes/[theme name]/ directory. They are used to determine the appearance and functionality of the website, including header (header.php), footer (footer.php), main template (index.php), single article (single.php), page (page.php), Archive (archive.php), category (category.php), tag (tag.php), search (search.php) and 404 error page (404.php). By editing and modifying these files, you can customize the appearance of your WordPress website

How to search for authors in WordPress How to search for authors in WordPress Apr 16, 2024 am 01:18 AM

Search for authors in WordPress: 1. Once logged in to your admin panel, navigate to Posts or Pages, enter the author name using the search bar, and select Author in Filters. 2. Other tips: Use wildcards to broaden your search, use operators to combine criteria, or enter author IDs to search for articles.

Which version of wordpress is stable? Which version of wordpress is stable? Apr 16, 2024 am 10:54 AM

The most stable WordPress version is the latest version because it contains the latest security patches, performance enhancements, and introduces new features and improvements. In order to update to the latest version, log into your WordPress dashboard, go to the Updates page and click Update Now.

What language is used to develop WordPress? What language is used to develop WordPress? Apr 16, 2024 am 12:03 AM

WordPress is developed using PHP language as its core programming language for handling database interactions, form processing, dynamic content generation, and user requests. PHP was chosen for reasons including cross-platform compatibility, ease of learning, active community, and rich library and frameworks. Apart from PHP, WordPress also uses languages ​​like HTML, CSS, JavaScript, SQL, etc. to enhance its functionality.

See all articles